Security Through Manipulation of Virtual Topography

ABSTRACT

Methods and apparatus are disclosed for improving network security through the manipulation of the apparent topology of the network. Such manipulation is accomplished by assigning multiple identifiers to nodes, using different destination identifiers for packets being sent to the same destination, and using source identifiers that do not correspond to the identifiers of the node sending the packets.

FIELD OF THE INVENTION

The field of the invention is network security.

BACKGROUND OF THE INVENTION

When sending a data object from one node on a network to another it is common practice to break the data object up into smaller pieces at a sending node and to have the sending node send each piece across the network in a data block portion of a packet. Such a packet typically also includes a header that contains an identifier identifying a destination node and often an identifier identifying the sending/source node as well. As an example, a node using IP packets to send a data object to another node will often break the data object up into an ordered set of packets where each packet comprises a data block portion containing a piece of the data object, and a header portion that contains both a source IP address and a destination IP address. The phrase “ordered set of packets” is used herein to denote any set of packets used to transmit a data object between nodes such that the contents of all of the data packets are necessary to reconstruct the data object at a receiving node. It is a set in the sense that all the packets are necessary to recreate the data object, and ordered in the sense that the contents of the packets must be ordered in a particular way to recreate the data object. In some instances multiple data objects may be transmitted via a single ordered set of packets.

Unfortunately, the inclusion of source and destination identifiers in packet headers provides a mechanism by which an entity that monitors the flow of packets across a network can identify nodes and possibly reconstruct the topology of the network. Having their identifiers known raises security concerns for the nodes, as the identifier can be used to send packets to the node and possibly to gain access to the node.

SUMMARY OF THE INVENTION

The present invention is directed to methods and apparatus for improving the security of networks through manipulation of virtual topography.

It is contemplated that security can be enhanced by manipulating the identifiers used by nodes to receive packets and the identifiers that nodes use in packet headers of packets being sent. Although applicable anywhere an identifier (ID) is used, focus will be given primarily to three particular identifiers that will be referred to as the node identifier, the source identifier, and the destination identifier. The node identifier (NID) is an identifier that a particular node looks for when observing packets being transmitted on a network to determine if a particular packet is being sent to the node. The source identifier (SID) is an identifier that the node uses when sending packets having a header that contains a source identifier, and the destination identifier (DID) is an identifier that the node uses when specifying the destination of a packet. In previously known networks a node will often be assigned a single identifier and will use that identifier as both the node identifier and the source identifier.

It is contemplated that each node will be assigned a set of NIDs, a set of SIDs, and a set of DIDs for use in sending and receiving packets, and will also be provided with a set of rules, a table, or some other ID determination mechanism (IDDM) by which the node can determine which IDs are to be used at a particular time. The node will then proceed to use the IDDM to vary the SIDs and DIDs of packets it sends and the NID or NIDs it uses in filtering received packets.

It is contemplated that the methods and apparatus described herein may be advantageously applied to IP networks where the NIDs, SIDs, and DIDs are IP addresses used to send and receive IP packets.

It is contemplated that IDDMs may employ various methods, but that in some instances it will be advantageous to utilize tables specifying sequences of NIDs and sequences of pairs of SIDs and DIDs.

Various objects, features, aspects and advantages of the present invention will become more apparent from the following detailed description of preferred embodiments of the invention, along with the accompanying drawings in which like numerals represent like components.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a schematic view of a network.

FIG. 1B is a schematic view of the apparent topology of the network of FIG. 1A.

FIG. 1C is a schematic view of the apparent topology of a network having a node assigned multiple identifiers.

FIG. 1D is a schematic view of a network having the apparent topology of FIG. 1C.

FIG. 1E is a schematic view of a first possible apparent topology of a network having multiple nodes assigned multiple identifiers.

FIG. 1F is a schematic view of a second possible apparent topology of a network having multiple nodes assigned multiple identifiers.

FIG. 1G is a schematic view of a network having the apparent topology of FIG. 1E.

FIG. 1H is an ID relationship table showing the relationships between nodes, NIDs, SIDs, and DIDs for the network and packets of FIG. 1G and the apparent topology of FIG. 1E.

FIG. 1I is an ID relationship table corresponding to the apparent topology of FIG. 1F.

FIG. 1J is a schematic view of the apparent topology of the network of FIG. 1A when NN SIDs are in use.

FIG. 1K is a schematic view of the apparent topology of the network of FIG. 1A when all nodes use NN SIDs.

FIG. 1L is a schematic of an apparent topology achievable by combining the assignment of multiple identifiers to nodes and the use of NN SIDs by the nodes.

FIG. 1M is a schematic of an apparent topology achievable by combining the assignment of multiple identifiers to nodes and the use of NN SIDs by the nodes.

FIG. 1N is an ID relationship table corresponding to FIG. 1L.

FIG. 2A is a schematic view of a network comprising an intermediary routing node acting as a hub for communications between end routing nodes.

FIG. 2B is a table illustrating a possible set of SD Pairs used to transmit a packet across multiple segments of a network using encapsulation, NN SIDs, and nodes assigned multiple NIDs.

FIG. 3A is a table illustrating a possible acceptable sequence of SD Pairs that may be required to be used for packets to be accepted at a destination node.

FIG. 3B illustrates the use of a source key with a sequence of SD Pairs to validate packets.

FIG. 3C illustrates the use of a possible acceptable sequence of SD Pair/Key combinations that may be required to be used for packets to be accepted at a destination node.

DETAILED DESCRIPTION

Referring to FIG. 1A, network 100 comprises node 110 sending a copy of data object 111 (a file containing the text of the Declaration of Independence) as an ordered set of packets 120 (some of which have already been received by node 130) to node 130 where the packets are being reassembled as data object 131. The node ID (NID) of node 110 in FIG. 1 is “1” and the NID of node 130 in FIG. 1 is “3”. Each packet (121-123) of the set of packets 120 comprises a header having both a source ID (SID) and a destination ID (DID) which are equivalent to the NIDs of nodes 110 and 130. Nodes 110 and 130 are coupled together via transmission medium 140.

The topology of network 100 can be determined by monitoring packets transmitted via medium 140 from the SIDs and DIDs of the transmitted packets. FIG. 1B is an illustration of what that topology would look like where a circle is assigned to each SID and DID seen, and lines are drawn between circles to indicate the SID/DID pairs seen in monitored packets. Thus, in FIG. 1B, the circles indicate that SID/DID values of “1” and “3” are visible, while the line indicates the SID/DID pair that is visible.

It is contemplated that security could be improved by assigning a plurality of NIDs to a node such that the packets addressed with any of the currently assigned NIDs will be routed to and received by the node. The phrase “received by the node” is used herein to mean that not only will the packet physically reach the node but that the node will be programmed or otherwise adapted to recognize that it should perform further processing on any packets having a DID equivalent to a currently assigned NID.

FIG. 1C illustrates the apparent topology of network 100 if node 130 is assigned a plurality of NIDs (3A, 3B, and 3C), and node 110 uses all of the assigned NIDs to send packets to node 130 as illustrated in FIG. 1D. The elements of FIG. 1D correspond to those of FIG. 1A with the primary changes being in the SID and DID pairs (SD Pairs) of packets 121-123 and the NIDs of node 130. Elements 111 and 131 and the data block contents of packets 121-123 were left out of FIG. 1D to simplify the presentation.

It is contemplated that security could be further improved by assigning a plurality of NIDs to all the nodes. FIG. 1E illustrates a possible apparent topology of network 100 if both node 110 and node 130 are assigned a plurality of NIDs (1A, 1B, 1C, 3A, 3B, 3C), and node 110 uses all of the assigned NIDs to send packets to node 130 as illustrated in FIG. 1G. As with FIG. 1D, FIG. 1G provides a simplified view of the network of FIG. 1A wherein the only difference is in regard to the NIDs assigned to the nodes and the SD Pairs used by packets 121-123. FIG. 1F shows an alternate apparent topology if all possible SD Pairs are used.

FIGS. 1H and 1I are ID relationship tables that illustrate the relationships between the nodes and various IDs for each of the packets sent across the network, where table 1H corresponds to the topology of FIG. 1E and table 1I to the topology of FIG. 1F. It is important to note that someone observing packets being transmitted would be able to recreate, at most, the SID and DID columns of the tables.

It is contemplated that security could also be improved by having a node use SIDs in packets it sends that do not correspond to any NIDs assigned to the node. As an example, if node 110 of FIG. 1A used “2” as the SID in any sent packets, the apparent topology of network 100 would be that shown in FIG. 1J rather than that of FIG. 1B. By using SIDs that aren't NIDs, the actual NIDs of the source node of the packets will not be visible to anyone seeing the SIDs and DIDs of the packets.

It is contemplated that security could be further improved by having all nodes that send packets use SIDs that do not correspond to any assigned NIDs. As an example, if node 110 of FIG. 1A had a NID of “1” and used “2” as the SID of any sent packets, and node 130 of FIG. 1A had a NID of “3” and used “4” as the SID of any sent packets, the apparent topology of network 100 would be that shown in FIG. 1K rather than that of FIG. 1B or 1J. By having all nodes use SIDs that aren't NIDs, the fact that any two nodes are exchanging packets is hidden.

It is contemplated that security could be further improved by both using non-NID SIDs (NN SIDs) and assigning multiple NIDs to nodes to be used as DIDs on any packets sent to those nodes. Such use would allow one to create the appearance of any topology desired, with FIGS. 1L and 1M illustrating two of the many possible topologies. FIG. 1N provides an ID relationship table corresponding to FIG. 1L. Once again, the only portion of the table of FIG. 1L that is visible to someone examining packets is the SID and DID columns showing the SD Pairs of the packets.

It is contemplated that further security improvements can be obtained by utilizing an intermediary routing node and encapsulation to exchange packets between end routing nodes. FIG. 2A illustrates the physical/actual topology of a network comprising two end routing nodes, 210 and 230, and one intermediary routing node 220. End routing nodes 210 and 230 act to couple sub-networks N1 and N3 to each other via network N2. In a preferred embodiment networks N1 and N3 will be private sub-networks while network N2 is a public network such as the Internet. If node 211 sends a packet to node 234, routing node 210 will encapsulate it and send it to intermediate routing node 220. Intermediate routing node 220 will then strip the encapsulating packet off, and re-encapsulate and send the original packet sent by node 211 on to routing node 230. Routing node 230 will then strip off the encapsulating packet and send it on to node 234. As such, the original packet from node 211 would comprise the SD Pair (211, 234) in its header as it traverses segment 241. Once encapsulated by node 210, the packet encapsulating the original packet would have an SD Pair of (210, 220) as it traverses segment 242, if NN SIDs aren't used and only a single NID is assigned to each routing node. Once re-encapsulated, the packet encapsulating the original packet would have the SD Pair (220, 230) as it traverses segment 243. Finally the original packet with the SD Pair (211, 234) would traverse segment 244 to reach node 234.

Simply forcing all traffic passing between nodes 210 and 230 to pass through node 220 provides a security enhancement (assuming the headers of any encapsulated packets are encrypted in some fashion) as anyone viewing packets traversing segment 242 or segment 243 will only have visibility to the SD Pairs used on those segments. If nodes 210, 220, and 230 are assigned multiple NIDs and if NN SIDs are used, the benefits described above come into play as well. As an example, if node 210 were pictured as being in the position of node 110 of network 100, and node 220 in the position of node 130, then the SD Pairs of encapsulating packets traversing segment 242 could be manipulated to give the apparent topology of FIGS. 1L, 1M, or some other desired topology.

When using routing nodes and encapsulation, an ordered set of packets may comprise all the packets sent through a particular “tunnel” during a given time period and thus may comprise packets that when reassembled make up a plurality of data objects.

FIG. 2B is a table showing a possible set of SD Pairs used to transmit packets from node 211 to node 234 across network 200 if: node 210 is assigned NIDs 1A, 1B, and 1C but uses SIDs 2A, 2B, and 2C when communicating with node 220; node 220 is assigned NIDs 3A, 3B, and 3C for use on segment 242 but uses SIDs 4A, 4B, and 4C when communicating with node 210; node 220 is assigned NIDs 5A, 5B, and 5C for use on segment 243 but uses SIDs 6A, 6B, and 6C when communicating with node 230; and node 230 is assigned NIDs 7A, 7B, and 7C but uses SIDs 8A, 8B, and 8C when communicating with node 220.
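The following Python model is an added example, not code from the patent. It gives nodes 210, 220 and 230 the NID and NN SID sets listed above for FIG. 2B, walks one packet from node 211 to node 234 through the encapsulation chain of FIG. 2A, and draws the FIG. 1B-style apparent topology that a monitor on segment 242 could reconstruct. The table-driven IDDM (stepping through the ID lists), the segment labels and the `RoutingNode` class are assumptions made here.

```python
from itertools import count

class RoutingNode:
    """A routing node with, per segment, the NIDs it accepts and the NN SIDs it
    sends with. The two sets never overlap, so a real NID never appears as a SID."""
    def __init__(self, name, nids, sids):
        self.name, self.nids, self.sids = name, nids, sids
        self._step = count()   # drives the (assumed) table-driven IDDM

    def accepts(self, segment, did):
        return did in self.nids[segment]

def sd_pair(sender, receiver, segment):
    """IDDM (assumption): step through the sender's NN SIDs and the receiver's
    NIDs for this segment so consecutive packets carry different SD Pairs."""
    i = next(sender._step)
    sid = sender.sids[segment][i % len(sender.sids[segment])]
    did = receiver.nids[segment][i % len(receiver.nids[segment])]
    return (sid, did)

def transmit(inner, n210, n220, n230):
    """Outer SD Pairs carried on segments 241-244 for one inner packet, where
    inner is the (SID, DID) of the original packet from node 211 to node 234."""
    seg242 = sd_pair(n210, n220, "242")          # encapsulated by 210
    if not n220.accepts("242", seg242[1]):
        raise ValueError("node 220 would not receive the encapsulating packet")
    seg243 = sd_pair(n220, n230, "243")          # stripped and re-encapsulated by 220
    if not n230.accepts("243", seg243[1]):
        raise ValueError("node 230 would not receive the encapsulating packet")
    return {"241": inner, "242": seg242, "243": seg243, "244": inner}

def apparent_topology(pairs):
    """The FIG. 1B-style picture a monitor draws from observed SD Pairs:
    one circle per ID seen, one line per distinct (SID, DID) pair."""
    return {"circles": {x for p in pairs for x in p}, "lines": set(pairs)}

def build_network():
    """Nodes 210, 220 and 230 with the ID sets the text gives for FIG. 2B."""
    n210 = RoutingNode("210", {"242": ["1A", "1B", "1C"]}, {"242": ["2A", "2B", "2C"]})
    n220 = RoutingNode("220",
                       {"242": ["3A", "3B", "3C"], "243": ["5A", "5B", "5C"]},
                       {"242": ["4A", "4B", "4C"], "243": ["6A", "6B", "6C"]})
    n230 = RoutingNode("230", {"243": ["7A", "7B", "7C"]}, {"243": ["8A", "8B", "8C"]})
    return n210, n220, n230

def observe_segment_242(n_packets=6):
    """Send n_packets from 211 to 234 and return what a monitor on segment 242
    could reconstruct, alongside node 210's real NIDs for comparison."""
    n210, n220, n230 = build_network()
    seen = [transmit(("211", "234"), n210, n220, n230)["242"] for _ in range(n_packets)]
    return apparent_topology(seen), set(n210.nids["242"])

if __name__ == "__main__":
    topo, real_nids = observe_segment_242()
    print("observer on 242 sees IDs:", sorted(topo["circles"]))
    print("node 210's real NIDs:    ", sorted(real_nids))
```

Neither node 210's real NIDs nor the inner (211, 234) pair ever reach the observer on segment 242; only the NN SIDs of 210 and the NIDs of 220 do.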

In preferred embodiments a set of ordered packets will comprise IP packets being transmitted between private sub-networks across the Internet. Using network 200 as an example, nodes 210, 220, and 230 could be routers coupled to the Internet via one or more network interface cards (NICs). Each NIC of the routers could be programmed to accept packets addressed with any one of a set of DID/IP addresses. A sending router could utilize any one of the IP addresses currently assigned to the destination router. It is contemplated that there may be some intermediate routers located between nodes 210 and 220 and/or between nodes 220 and 230. In some instances it may be feasible to dynamically update the routing tables of such routers to properly route packets using the IP addresses currently assigned to the nodes. However, it is contemplated that it may be better to simply set up the routing tables of such routers such that any one of a large set of IP addresses will be properly routed to a node and then to simply allow the node to determine which packets it will pay attention to at any particular time, as will be described below.

It is contemplated that further security improvements can be obtained by adapting nodes to only accept packets that have particular SD Pairs, and to vary the list of acceptable SD Pairs over time. Acceptance of SD Pairs may also be limited in regard to the order in which they are used. Acceptance may further be conditioned on the packet comprising an additional key value that validates the authenticity of the packet. In instances where packets will traverse a public network and their order of arrival cannot be relied upon, it would be advantageous to adapt a particular node to accept any one of an acceptable combination of IDs and/or keys. FIG. 3A provides a table that might be provided to each of two nodes, with one node using the table to set SD Pairs on outgoing packets and the other node using it to determine whether incoming packets should be accepted or discarded. As such, packets sent during a first time block may be assigned SD Pairs in the following sequence: (1A, 2B), (1C, 2A), (1A, 2C), (1B, 2B), (1C, 2C), (1A, 2A), (1E, 2E), (1F, 2F), (1G, 2G), (1G, 2F), (1F, 2E), (1E, 2G). It is contemplated that assigning SD Pairs in a particular order eliminates the need for a separate sequence number, such that an ordered set of packets used to transmit a file or other data object can be sent and reassembled using only the SD Pairs of the packets. Alternatively, the inclusion of a sequence number or other order identifier would permit the reuse of SD Pairs within a time block.

In some instances it may be desirable to include another level of security by including a key in any packets sent. Such a key might be part of the data block or the header of such packets and may be assigned in any manner as long as the receiving node is able to determine which packets comprise valid SD Pair and key combinations and which do not. Two of the many possible key assignment schemes are illustrated in FIGS. 3B and 3C. In FIG. 3B, a key is assigned to a particular node such that every packet sent by that node comprises its key (which may also be changed over time and/or in accordance with a key maintenance scheme). In such an instance a receiving node will not only verify that any received packet comprises a valid SD Pair, but that it also comprises a key from a known source. In FIG. 3C, a separate key is assigned to each packet such that packet validation requires the packet to comprise an acceptable combination of SD Pair and key.

It should be noted that, although no other nodes are shown in the figures, in reality one observing a segment of a public network would likely see packets from a large number of sub-networks traversing the segment, with the extra traffic across the segment making it even more difficult to identify packets of interest and to determine how such packets have to be grouped to reassemble the file or other data object being sent. However, it is contemplated that further security can be provided by having a node send dummy packets, i.e. packets that do not comprise information being protected, and/or packets that do not comprise a valid SD Pair or SD Pair/Key combination.
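As an added example (not the patent's own code), the following Python sender and receiver share the twelve-pair time-block table quoted above for FIG. 3A, reassemble a data object from out-of-order packets using only the position of each SD Pair in that table, validate a per-source key in the style of FIG. 3B that is bound to each packet as in FIG. 3C, and discard dummy packets carrying an unacceptable SD Pair. The HMAC construction, the packet layout, the dummy pair (1Z, 2Z) and the sample data object are assumptions made here.

```python
import hmac, hashlib, random

# Table shared by sender and receiver for one time block (sequence from the text).
TIME_BLOCK_1 = [("1A", "2B"), ("1C", "2A"), ("1A", "2C"), ("1B", "2B"), ("1C", "2C"),
                ("1A", "2A"), ("1E", "2E"), ("1F", "2F"), ("1G", "2G"), ("1G", "2F"),
                ("1F", "2E"), ("1E", "2G")]

SOURCE_KEY = b"constructed-source-key"   # FIG. 3B-style key held by both ends (constructed)

def packet_key(sid, did, data, key=SOURCE_KEY):
    """Key carried in each packet (assumption): an HMAC under the source key that
    binds the SD Pair to the data block, so a valid pair with foreign data fails."""
    return hmac.new(key, f"{sid}|{did}|".encode() + data, hashlib.sha256).digest()

def send(data_object, table=TIME_BLOCK_1, dummies=2):
    """Split a data object into len(table) pieces, address piece i with table[i],
    mix in dummy packets whose SD Pair is not in the table, and shuffle to mimic
    arrival over a public network where order cannot be relied upon."""
    n = len(table)
    size = -(-len(data_object) // n)              # ceiling division
    pieces = [data_object[i * size:(i + 1) * size] for i in range(n)]
    packets = [{"sid": sid, "did": did, "key": packet_key(sid, did, piece), "data": piece}
               for (sid, did), piece in zip(table, pieces)]
    for _ in range(dummies):                      # chaff: (1Z, 2Z) is not an acceptable pair
        packets.append({"sid": "1Z", "did": "2Z", "key": b"\0" * 32, "data": b"junk"})
    random.shuffle(packets)
    return packets

def receive(packets, table=TIME_BLOCK_1):
    """Accept a packet only if its SD Pair is in the table, not yet used in this
    time block, and its key validates; the pair's table position gives the order.
    Returns (reassembled object, accepted count, discarded count)."""
    position = {pair: i for i, pair in enumerate(table)}
    slots, accepted, discarded = [None] * len(table), 0, 0
    for p in packets:
        pair = (p["sid"], p["did"])
        i = position.get(pair)
        if i is None or slots[i] is not None:     # unknown pair, or pair already consumed
            discarded += 1
            continue
        if not hmac.compare_digest(p["key"], packet_key(*pair, p["data"])):
            discarded += 1                        # valid pair but key does not validate
            continue
        slots[i] = p["data"]
        accepted += 1
    if any(s is None for s in slots):
        raise ValueError("ordered set incomplete: a valid SD Pair never arrived")
    return b"".join(slots), accepted, discarded

if __name__ == "__main__":
    obj = b"When in the Course of human events..."   # constructed stand-in for object 111
    print(receive(send(obj)))
```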

It is contemplated that in some instances the packets of an ordered set of packets comprising the contents of a data object may be split among multiple segments. As an example, a sub-network might comprise multiple links to a public network, in which case the packets of the ordered set could be divided among the links for transmission.

It should be readily apparent that the methods and systems described herein are not limited to a particular type of network, the use of a particular type of protocol, or the use of a particular transmission medium. As such, they are equally applicable to wired and wireless networks regardless of the physical topology or protocols used. However, it is contemplated that the methods and systems herein are particularly well adapted for use on TCP/IP networks. In such instances, assigning multiple IP addresses to NICs, manipulating the source and destination IP addresses used in the IP header of any packets sent, and/or validating incoming packets based on the source and destination IP addresses and possibly a key included in the packet provide a method of transmitting ordered sets of packets that is more secure than transmission when such steps are not taken.

Thus, specific embodiments and applications of security methods and systems have been disclosed. It should be apparent, however, to those skilled in the art that many more modifications besides those already described are possible without departing from the inventive concepts herein. The inventive subject matter, therefore, is not to be restricted except in the spirit of the appended claims. Moreover, in interpreting both the specification and the claims, all terms should be interpreted in the broadest possible manner consistent with the context. In particular, the terms “comprises” and “comprising” should be interpreted as referring to elements, components, or steps in a non-exclusive manner, indicating that the referenced elements, components, or steps may be present, or utilized, or combined with other elements, components, or steps that are not expressly referenced.

1. A method of transmitting a set of ordered packets or a stream from an originating source node to a destination node, the method comprising: addressing a first packet of the ordered set of packets with a first destination identifier that exclusively identifies the destination node; addressing a second packet of the ordered set of packets with a second destination identifier that exclusively identifies the destination node, but is different from the first destination identifier; and the source node sending the first and second packets to the destination node, whereby the packets are transmitted in a manner that increases security of the transmission.

2. The method of claim 1 wherein each of the set of ordered packets is an IP packet, and the provided identifiers are IP addresses.

3. The method of claim 2 further comprising: addressing a first packet of the ordered set of packets with a first source identifier; and addressing a second packet of the ordered set of packets with a second source identifier exclusively assigned to the source node and that is different from the first source identifier.

4. The method of claim 3 wherein the first source identifier does not identify the source node.

5. A method of sending a set of ordered packets of a stream from an originating source node to a common destination node, the method comprising: addressing a first packet of the ordered set of packets with a first source identifier; addressing a second packet of the ordered set of packets with a second source identifier that is different from the first source identifier; and sending the first packet and the second packet from the source node to the destination node.

6. The method of claim 5 wherein each of the set of ordered packets is an IP packet, and the provided identifiers are IP addresses.

7. The method of claim 6 wherein at least some of the provided source identifiers do not identify the system.

8. The method of claim 7 wherein none of the provided source identifiers identify the system.

9. The method of claim 8 wherein the set of ordered packets includes the contents of a single message or file subdivided for transmission via the set of ordered packets.

10. The method of claim 9 wherein each packet of the ordered set of packets comprises an identifier pair that includes both the source identifier and a destination identifier of the packet, and each packet of the set comprises a unique identifier pair.

11. The method of claim 10 further comprising sending at least some dummy packets which are not part of the set of ordered packets while sending the set of ordered packets.

12. The method of claim 11 further comprising sending the dummy packets by providing the dummy packets with destination identifiers that do not identify any system.

13-14. (canceled)